09-25-2020 04:50 AM
Hello
It's all about failover.
We are running a couple of FirePower 4150 appliances at two different locations. They are not in cluster mode.
On top we run ASA code in Multiple Context Mode and with 20 Transparent Contexts. Active/Standby.
Setup:
Port-Channel 1 is used for Zone Traffic Inside and Outside (Subinterfaces, i.e. Po1.2048 and Po1.3048)
Port-Channel 2 is used for Failover (2 Subinterfaces STATE and LAN)
Port-Channel 3 is used for Management Access
If I run "show failover" I see: "admin Interface management (10.9.200.34): Normal (Monitored)".
No other interface is monitored.
I guess it would make sense to monitor Port-Channel 1 as well.
Questions:
1. The FirePower appliance does not communicate with its mate, so Port-Channel 1 must be monitored on the ASA (Subinterface). Correct?
2. Does it make sense to monitor more than 1 Subinterface of Port-Channel 1?
3. I often read that only the Inside Interface should be monitored. Why not Outside as well? (On our ASA-5555 VPN Gateways we do so.)
4. Does it even make sense to monitor Port-Channels for failover, as they provide redundancy anyway?
Any input is highly appreciated. Many Thanks.
Thomas
09-25-2020 06:46 AM
Is the management interface part of Port-Channel 3 (the one used for Management Access)?
09-25-2020 06:58 AM
The 1-Gbps Interface is only used to manage the Chassis.
Only the (virtual) ASA is managed through Port-Channel 3 (2 Ten-Gig Interfaces; a little overkill).
Thomas
10-21-2020 10:46 AM
Subinterfaces are not monitored by default but I recommend you enable it for both Po1 subinterfaces with the monitor-interface command.
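Added example (not part of the thread) of what that looks like on the ASA CLI for one transparent context; the context name, bridge-group number and nameif values are assumptions chosen to match the Po1 subinterfaces named in the question:

```text
! System execution space (multiple context mode): with two monitored
! interfaces per context, require both to fail before a unit fails over.
failover interface-policy 2
! Enter one of the transparent contexts ("ctx-2048" is a placeholder name)
changeto context ctx-2048
configure terminal
! The two Po1 subinterfaces assigned to this context, bridged together
interface Port-channel1.2048
 nameif inside
 bridge-group 1
interface Port-channel1.3048
 nameif outside
 bridge-group 1
! Enable health monitoring on both data interfaces (off by default for subinterfaces)
monitor-interface inside
monitor-interface outside
end
! Verify: both should now appear as "Normal (Monitored)" instead of "Normal (Not-Monitored)"
show monitor-interface
```

Repeat the monitor-interface lines in each context whose interfaces should influence failover; interfaces left unmonitored never trigger a switchover even if their link drops.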